diff --git a/modules/dblog/dblog.admin.inc b/modules/dblog/dblog.admin.inc
index 7c1c0e20f3e..0d5780cb018 100644
--- a/modules/dblog/dblog.admin.inc
+++ b/modules/dblog/dblog.admin.inc
@@ -294,11 +294,18 @@ function theme_dblog_message($variables) {
else {
$output = t($event->message, unserialize($event->variables));
}
+ // If the output is expected to be a link, strip all the tags and
+ // special characters by using filter_xss() without any allowed tags.
+ // If not, use filter_xss_admin() to allow some tags.
if ($variables['link'] && isset($event->wid)) {
- // Truncate message to 56 chars.
+ // Truncate message to 56 chars after stripping all the tags.
$output = truncate_utf8(filter_xss($output, array()), 56, TRUE, TRUE);
$output = l($output, 'admin/reports/event/' . $event->wid, array('html' => TRUE));
}
+ else {
+ // Prevent XSS in log detail pages.
+ $output = filter_xss_admin($output);
+ }
}
return $output;
}
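Review bot: The new comment at the top of the hunk overstates what filter_xss() with an empty allowed-tag list does: it strips tags and normalizes the string, but it does not strip "special characters" (entities such as `&amp;` are kept, which is why l() is then safe with `'html' => TRUE`). I would reword it to `// If the output is rendered as a link, strip all tags with filter_xss() and no allowed tags; otherwise run it through filter_xss_admin(), which keeps the admin-safe tag set.` On the new else branch, filter_xss_admin() still permits a broad tag set (links, images, formatting), so a message logged with raw text through the `!` placeholder of t() would keep those tags; that is the intended admin-display contract, but the caller that places this output on the detail page must not escape it again or entities will double-encode. The enclosing theme_dblog_message() starts outside the hunk, so I cannot see the guard that populates $event->variables before the unserialize() on the context line.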
diff --git a/modules/dblog/dblog.test b/modules/dblog/dblog.test
index ad07688526c..b0a58ba4543 100644
--- a/modules/dblog/dblog.test
+++ b/modules/dblog/dblog.test
@@ -665,4 +665,32 @@ class DBLogTestCase extends DrupalWebTestCase {
// Document Object Model (DOM).
$this->assertLink(html_entity_decode($message_text), 0, $message);
}
+
+ /**
+ * Make sure HTML tags are filtered out in the log detail page.
+ */
+ public function testLogMessageSanitized() {
+ $this->drupalLogin($this->big_user);
+
+ // Make sure dangerous HTML tags are filtered out in log detail page.
+ $log = array(
+ 'uid' => 0,
+ 'type' => 'custom',
+ 'message' => " Lorem ipsum",
+ 'variables' => NULL,
+ 'severity' => WATCHDOG_NOTICE,
+ 'link' => 'foo/bar',
+ 'request_uri' => 'http://example.com?dblog=1',
+ 'referer' => 'http://example.org?dblog=2',
+ 'ip' => '0.0.1.0',
+ 'timestamp' => REQUEST_TIME,
+ );
+ dblog_watchdog($log);
+
+ $wid = db_query('SELECT MAX(wid) FROM {watchdog}')->fetchField();
+ $this->drupalGet('admin/reports/event/' . $wid);
+ $this->assertResponse(200);
+ $this->assertNoRaw("");
+ $this->assertRaw("alert('foo'); Lorem ipsum");
+ }
}
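Review bot: As rendered here the new test is vacuous: the `'message'` value at the top of the fixture is `" Lorem ipsum"` and the negative assertion is `$this->assertNoRaw("")`, so there is no markup being injected and an empty needle either passes trivially or, with strpos() semantics on newer PHP, fails outright. Presumably the literal `<script>alert('foo');</script>` was lost when this page was rendered, since the positive assertion expects `alert('foo'); Lorem ipsum` with the tag removed; please confirm the committed dblog.test carries the tag in both the message and the `assertNoRaw()` call. The test also only covers the detail page, while the same theme function has a separate link branch used by the overview listing; adding `$this->drupalGet('admin/reports/dblog');` followed by the same `assertNoRaw()` would pin both paths. testLogMessageSanitized() is fully inside the hunk; the enclosing DBLogTestCase class starts outside it.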